
TOP SECRET//COMINT//REL TO 



USA, 



FVEY 



, Cipher Detection, and You! 




Mathematics Research 



21 



Au 



TOP SECRET//COMINT//REL TO 



ust 



2008 



Group 



USA, 



FVEY 




UNCLASSIFIED 



The Protocol Stack 



Application Layer (HTTP, FTP, etc.) 



Transport Layer (T CP, UDP) 










Network Layer (IPv4, IPv6) 

s 




> 

_ ^ 








r 

Data Link Layer (PPP) 

L 






r 



Physical Layer (Copper, Fiber) 

> 



UNCLASSIFIED 



TOP SECRET//COMINT//REL TO USA, FVEY 



Data Sources 

• FORNSAT (downlink) 

• Overhead (uplink) 

• Special Source 

• Tailored Access 

• F6 

• FISA (limited) 

• 3rd party 
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• Selection of tasked CADENCE /UTT terms. 



Send hits to PINWALE/ PRESSURE WAVE. 



Tipping toTRAFFICTHIEF. 

Fingerprinting, 

SIGINT development using two rolling buffers 

• Metadata 

• Content (data) 
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Retrospective Searching 







•All data arc stored, not 
just hits. 

• Queries are distributed 
to entire network of sites, 
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Fingerprinting 

• Pattern matching against the data. 

• Session is marked, but not sent to PIN WALE. 

• Fingerprint stored as metadata, 

• Have to search for it. 

• Rich set of patterns 

• Strings have a minimum of three* anchors (fixed bytes). 

[Exception: Two bytes at the beginning of a session] 

• Regular expressions allowed (require nonoptional string of 
three* bvtes within regex) 

J O ^ 

• Context-dependent terms. 

*XKS reserves tlte right to increase this to lour. 
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Examples 

• fingerprint (' encryption/helixstronghold’ , 
7,0) = 'helix stronghold encrypted file'; 



• fingerprint ( ' encryption/wharf rat ' , 3.0) = 
' \xd6\x56\x34\xb7\x80\x05\xfe\x8b ' c and 

' \xaf \x52\x72\x60\xdd\xfe\x72\xc2 ' c and 
(port (443) or port(80)); 

• fingerprint (' encryption/ the_algorithm' , 
3.0) = 

/-XYZ- .{0,30 }mp [eg] / ; 
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Syntax Features 

• Case Sensitivity 

fingerprint ( ' certif icate/digital_id ' ) = 

' -BEGIN CERTIFICATE- ' c ; 

• Full Boolean logic 

• Grouping with parentheses 

• Operators: and, or, not 

• Variables 

$udp = protocol ( ' udp ’ ) ; 

fingerprint ( ' vpn/openvpn/x509/wera ’ ) = 
$udp and ’ openvpn wera ' c ; 
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Available Functions 

• port 




fingerprint ( ' encryption/ kryptel ' ) = 
hex ( ' E8E2454300040004635C4EE9A2F9D111A 
489E498F70C0B43404F4BFA50F2D111A4898E6 
30458E285' ) ; 

• pos 

fingerprint ( ' encryption/ cipherpad ' ) = 
pos ( ' CPADl ' c) < 4000; 
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• Distance (similar to pos, but for distance between tokens) 

• Lpos 

Spop_basic = lpos('+OK 'c) or ’\nQUlT'; 

• First 

appid('mail/ smtp /. . — first('ehlo') and . . . ; 

• Last (similar to first) 

• Follows (one token after another) 

• Between (one token between two others) 

• Order 
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Other Features 

• Fingerprint definitions updated hourly throughout the entire 
enterprise. 

• Workflows 

• Submit through user interface. 

• Standing queries that run like cron jobs. 

• Limited follow-on processing. 

• User interface for fingerprint submission (coming soon). 

• Currently done by XKS personnel. 
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Plug-ins 

• Full power of C++ for when pattern matching does not 
suffice . 

• Usually limited to certain file types 

• Huge JPEG volume from web surfing 

• Current steg/ encryption plugins that fingerprint sessions: 

• PHOSPHORESSENCE library of steg detectors 

• SHELLLOCK steg detection 

O 

• SEDENA indigenous encryption software 

• Drawback: Must wait for site upgrade to deploy. 
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Tra d e-off 

• Fingerprints easily deployed, but limited to pattern 
matching. 

• Plug-ins slow to deploy, but allow for complex testing. 

• New compromise: 

• Snippets of C++ code in fingerprint 

• Deployed hourly like fingerprint with most of the flexibility of a 
full plug-in. 

• Very complicated tests probably still need to be plug-ins. 

• Currently stood up at only a few sites. 
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Example 

fingerprint { ' encryption/ archive/rar ’ ) = 

' \x52\x61\x72\x21\xla\x07\x00 ' c 

: C++ {{ 

const uint8_t *ptr = 

find_first{"\x52\x61\x72\x21\xla\x07\x00") ; 
if (ptr == NULL) 
return false; 
if (end()-ptr < 64) 
re turn false; 

if ( {ptr [23] &0x04) != 0x04) 

re turn false; 

if ( {ptr [10] &0x80) != 0x80) 
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Advanced Feature 



• Follow-on check with anchorless regexes: 

%dhcp_check = regex { { 

^ [\x01\x02] [\x01- ] \x06 . *c\x82sc 

}}; 



appid ( ' netmanagement/dhcp/client_to_server ’ , 
3.0) = 

from_port (68) and tojort(67) 

: %dhcp check ; 
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Releasability Issues 



Nearly all XKS personnel have PICARESQUE! 
• Those that don’t have PRIVAC. 



XKS distribution comes in two flavors 
• 1 St & 2nd party 



3rd party 

No NOFORN capabilities permitted. 

Special dispensation from 
SMOKYSINK. 




for some capabilities to 



Can keep PICARESQUE code running on R1 ’s rednet if 

absolutely necessary. 
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